Why Risk Management?
By coincidence recently, I had been reading about foundational concepts in risk management as they apply within security programs, and then shortly after that I found myself in a conference center filled with security professionals of which I think many of them could have used the information in this article.
So, here I am. In this short article I will present those big ideas from risk management that are highly relevant to security professionals like ourselves. (Admittedly, I am no expert! This is something that I am studying, and I wanted to share what might be most useful with you).
* I’ll be using this text as my primary reference for what follows, therefore, there is a (slight) bias toward framing ideas in terms of protecting information assets: “Certified Information Systems Security Professional: Official Study Guide (8th edition)” by ISC2.
Getting Our Definitions in Order
Risk Management: the process of identifying, evaluating, and preventing or reducing risks, with the primary goal of reducing risk to an acceptable level
Asset: anything that should be protected
Asset Valuation: dollar value assigned to an asset
Threat: a potential occurrence that may cause an undesirable or unwanted outcome
Vulnerability: the weakness(es) of an asset that make the realization of a threat possible
Risk: the likelihood that a threat will exploit a vulnerability to cause harm to an asset (Risk = Threat x Vulnerability)
Safeguard (aka countermeasure or security control): anything that removes or reduces a vulnerability; use of safeguards is the only way to reduce risk
Attack: the exploitation of a vulnerability by a threat agent
Breach: the occurrence of a security mechanism being bypassed by a threat agent
Exposure: being susceptible to asset loss because of threats
As defined by ISC2, “risk management is a detailed process of identifying factors that could damage or disclose data, evaluating those factors in light of data value and countermeasure cost, and implementing cost-effective solutions for mitigating or reducing risk”. The authors go on to state, “the primary goal of risk management is to reduce risk to an acceptable level”.
Primary Ways to Respond to Risk
When we are aware of a risk, there are several ways for us to address it.
Risk Mitigation: the implementation of countermeasures to reduce vulnerabilities
Risk Transfer (Assign): when the cost of a loss is placed on another entity or organization (example: to outsource or to purchase insurance)
Risk Acceptance: when it is reasonable to accept the consequences of a risk if realized; this is often a choice made when the cost of countermeasures is greater than the cost of the loss if the risk event occurs
Risk Deterrence: the process of implementing deterrents for would-be violators of security measures or policy (example: auditing, signage, cameras, etc.)
*Risk Avoidance: completely eliminate the cause of a risk (example: eliminate the risk of a tornado by moving the facility from Oklahoma to California)
*Risk Rejection: to deny or ignore a risk (never an acceptable course of action)
And how do we get started?
First, you must select a risk assessment methodology: Qualitative or Quantitative.
For a quantitative assessment, we would assign dollar figures to assets, while a qualitative assessment would lead us to assign subjective values to assets. Often, a hybrid of the two are used since it is the case that not every asset can be attached to a specific dollar figure (example: brand, reputation, employee loyalty, etc.).
More Definitions (Getting Mathematical)
Asset Value (AV): the value assigned to an asset
Exposure Factor (EF): if a threat is realized, this percentage of the asset is lost
Single Loss Expectancy (SLE): the expected cost if a threat materializes
Annualized Rate of Occurrence (ARO): the likelihood (risk) of a threat being realized within a single year
Annualized Loss Expectancy (ALE): this figure represents how much money the organization can expect to lose per year due to a specific threat. It is calculated by multiplying SLE x ARO.
The six major steps of a quantitative risk analysis:
1. Assign Asset Value (AV): all assets are inventoried and assigned a value.
2. Research each asset and create a list of all possible threats to each individual asset. For each threat, calculate Exposure Factor (EF) -- if the threat is realized, what percentage of the asset is lost?
Example: “If severe hail occurs (our threat), what percentage (EF) of the campus’s CCTV equipment will be lost?” Then for each threat, calculate Single Loss Expectancy (SLE) -- “What is the cost associated with each individual threat if it materializes?”
Single Loss Expectancy (SLE) = Asset Value (AV) x Exposure Factor (EF)
Or stated this way...
SLE = AV x EF
3. Find your Annualized Rate of Occurrence (ARO). Analyze your threats and calculate the likelihood (risk) of each threat being realized within a single year. ARO can range from 0.00 (meaning that there is a zero percent probability of the threat occurring in a single year) to any positive number based on the circumstance.
4. Calculate Annualized Loss Expectancy (ALE), to find out the overall loss potential per threat, per year.
Annualized Loss Expectancy (ALE) = Single Loss Expectancy (SLE) x Annualized Rate of Occurrence (ARO)
Or stated this way...
ALE = SLE x ARO
5. Research countermeasures for each threat, then calculate the changes to the ARO and ALE based on the newly applied countermeasure. When considering applying countermeasures, each countermeasure will impact the ARO (reducing the number of times a threat materializes) and EF because it can potentially reduce the resulting damage.
6. Perform a cost / benefit analysis of each safeguard, for each threat, to each asset. Then select the most appropriate response/safeguard for each threat. We should measure the cost of potential safeguards (including deployment, maintenance, etc.) against the value of the asset to be protected. As a general rule, if the cost of a safeguard is greater than the value of the asset, then the risk should be “accepted”.
(ALE pre-safeguard — ALE post-safeguard) — Annual Cost of Safeguard (ACS)
= the value of the safeguard to the organization
Or stated this way...
(ALE1 — ALE2) — ACS = the value of the safeguard to the organization
*If the result is negative, then the safeguard is not a financially responsible option. If the result is positive, then the result represents annual savings to the organization by deploying the safeguard.
This was a relatively dense 1,250 words, and I hope it serves as a helpful overview or reference for you to come back to (or to share with your colleagues). Again, I am not an authority on risk management. And everything in this article may not match perfectly with ASIS’s publications since I used ISC2’s manual as a reference.
That said, I hit nearly every major risk management idea that applies to us. I hope you can find a few helpful morsels here to express your security recommendations in financial/risk management terms. Cheers!
Never miss an article by signing up for the EP Nexus email list—Click Here.
And here’s a couple resources that you may find interesting to continue learning about risk management:
Guide To Effective Risk Management 3.0 - By Alex Sidorenko - Download Here
The Risk and Insurance Management Society (RIMS) - Learn more
The Risk Management Process for Federal Facilities (2017) - Download Here
Risk Academy Blog - Learn More
About the EP Nexus Blog
The EP Nexus executive protection blog, is a comprehensive resource for security professionals involved in executive protection, protective intelligence, threat assessment, and related fields.
Launched in March of 2016 as a resource for executive protection professionals, command center gurus, and close protection know-it-alls, EP Nexus is quickly becoming a resource for those seeking to quench their thirst for executive protection reading.
The most popular section of the blog is Executive Protection Hacks. EP Hacks is a series in which we address complex topics (one topic per issue) in a convenient collection of tools & writings. I am actively collaborating with industry leaders to produce future issues. If you're interested in taking an active approach in moving your industry into the future, contact me below.
Outside of EP Hacks, I explore the following topics in writings, tutorials, and webinars: online tools for executive protection professionals, open source intelligence investigations (OSINT), threat assessment, protective intelligence, travel security, and more.
Sign up for the newsletter to receive premium content and monthly updates.